For years, the UK has talked about digital identity as the key to faster onboarding, reduced fraud, better customer experiences, and stronger compliance. And yet, in much of regulated industry, the day-to-day reality has barely shifted. Why? Because compliance culture doesn’t move on optimism. It moves on defensible certainty.
Until now, most compliance officers have been understandably risk-averse. Not because they dislike digital identity, but because they know what happens when a control fails: remediation programmes, supervisory challenge, awkward audit findings and reputational consequences.
Even when the Joint Money Laundering Steering Group (JMLSG) referenced digital identity in June 2020, it was not enough to change mindsets or practices at scale. JMLSG guidance is influential, but it did not create the kind of hard-edged confidence that makes large firms redesign onboarding and lifecycle controls. It’s one thing for digital identity to be mentioned in guidance, it’s another for it to feel like it is part of the core compliance architecture. And the JMLSG never updated their guidance to recognise the Government’s certified Digital Identity and Attributes Trust Framework (UKDIATF).
That’s why updates to the Money Laundering Regulations (MLRs), which explicitly references Digital Verification Services (DVS) and the UKDIATF, matter. It’s the difference between digital identity sitting on the edge of the compliance conversation and digital identity being pulled into the centre of it.
Why the MLRs matter now
The MLRs are the legal backbone of UK anti-money laundering compliance. They define what regulated firms must do for Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) and ongoing monitoring.
When the MLRs move, the whole market pays attention. Procurement teams change requirements. Risk teams update control frameworks. Audit teams update their expectations. Product teams can finally justify the rebuilds they’ve wanted to make for years. The key point is that MLR changes don’t just affect banks. They potentially affect a whole set of regulated sectors where identity verification is a frontline compliance control.
Who this touches across the regulated economy
The MLR regime covers a wide set of regulated “relevant persons”, or “supervisory populations”. The core groups include:
- Banks and other credit institutions
- Payment institutions and e-money firms
- Auditors
- Insolvency practitioners
- External accountants and tax advisers
- Independent legal professionals
- Trust and company service providers
- Estate agents and letting agents
- High-value dealers
- Art market participants
- Casinos and certain gambling operators
- Cryptoasset exchange providers
- Custodian wallet providers
- Bill payment service providers
- Telecoms, post and transport services handling certain financial flows
- Other specified financial intermediaries
The labels vary slightly depending on how supervision is organised, but the point is simple: this is not a niche financial services change. It is a cross-economy change, affecting sectors from gambling to property to professional services.
What the DVS and UKDIATF change in practice
The DVS and UKDIATF are, in effect, an attempt to turn “digital identity” from a thousand bespoke implementations into a market with shared rules.
The DVS provides the route to registered, certified services. The UKDIATF defines the expectations that sit behind certification: governance, security, fraud controls and assurance. In plain terms, it’s the difference between saying “trust us, we do good identity checks” and being able to point to a recognised framework that sets out what “good” means.
Now that the MLRs explicitly recognise the DVS and UKDIATF, it gives compliance officers something they’ve been missing, which is a stronger, more standardised footing for saying “yes” without feeling like they’re stepping off a cliff. That matters because the biggest obstacle to adoption has not been technical capability. It has been confidence.
What this could mean, sector by sector
Different sectors are likely to move at different speeds, based on factors such as supervisory posture and operational maturity.
Financial services
Challenger banks, digital first lenders, payment institutions and e-money firms are likely to move first, where transactional digital identity verification is already industrialised, heavily budgeted and closely supervised. What’s new is the option for citizens to use reusable digital identity wallets in this context, as well as in many areas of their lives.
But movement in the wider sector will take time. The first wave won’t be “rip out onboarding and replace it.” The first wave is likely to be among the most agile organisations and in the places where digital identity adds immediate value and can be defended as proportionate risk management:
- Account recovery
- Step-up verification for suspicious activity or high-risk transactions
- High-risk changes to customer details
- Periodic KYC refresh
- Low-risk retail onboarding
A realistic horizon for broader onboarding adoption, assuming supportive supervisory signals, is 9-18 months. Full-scale, mainstream adoption across product lines tends to be a 12-24 month journey. This is likely to be fuelled by adoption in other sectors, such as changes in alcohol licensing regulations to enable digital ID to be used to prove age in bars and supermarkets.
Cryptoasset firms
Cryptoasset businesses are often faster to adopt new identity controls because they face intense risk pressure, high fraud attempts and constant scrutiny about AML standards.
With the DVS and UKDIATF now explicitly recognised within the MLR context, many crypto firms may accelerate quickly, particularly in onboarding and account recovery use cases. Expect meaningful uptake within 6-12 months.
Gambling
Casinos and certain remote gambling operators are within MLR scope and already operate with a blend of checks, thresholds and triggers.
With the updated MLRs pointing clearly toward certified digital identity services, the gambling sector could adopt changes quickly for high-value customer journeys and EDD triggers. However, practical adoption will depend on alignment with the Gambling Commission’s expectations and the pace of sector guidance updates. Expect uptake in 6-18 months.
Legal and accountancy firms
These sectors tend to move carefully because they rely strongly on professional judgement, established document routines and professional body guidance.
Even with the MLR update, adoption will likely be slower unless professional bodies and supervisors clearly incorporate the DVS and UKDIATF approaches into their operational playbooks. Expect 18-36 months for broad, normalised practice change.
Property (estate agents and letting agents)
Property transactions are high-value and high-risk, but the sector remains operationally fragmented and manual.
Digital identity could remove significant friction, especially where identity can be reused across repeat transactions and across different parties in a chain. Adoption could grow steadily over 12-24 months but will depend on supervisory nudges and the practical availability of “plug-in” workflows that smaller firms can manage.
What needs to happen next
Even with the MLRs now naming the DVS and UKDIATF, adoption won’t happen by magic. The market will still look for:
- Supervisory comfort, especially from the Financial Conduct Authority (FCA) for financial services and relevant supervisors for other sectors
- Updated operational guidance, including JMLSG updates that go beyond references and into “here is how to use DVS evidence in practice”
- Clear expectations around audit trails, record-keeping and evidential outputs
- A better shared understanding of liability, accountability and reliance models
- Consistent implementation patterns across certified providers so firms can scale without bespoke engineering each time
In other words, law creates permission, but it’s confidence that creates adoption.
A predicted timeline
With the MLRs now updated, we expect to see:
- In 0-3 months – Firms analyse the text, update procurement language and begin mapping the DVS and UKDIATF outputs to internal AML policies. Early pilots widen.
- In 3-9 months – Expect supervisory commentary, early adopter case studies and expanding rollouts in fintech and crypto. Targeted implementations appear in banks for lifecycle controls.
- In 9-18 months – Broader bank and gambling deployments for defined use cases. Guidance and playbooks begin catching up. Acceptance becomes more standard rather than experimental.
- In 18-36 months – Professional services, property and other slower-moving sectors adopt more systematically, driven by clearer guidance and market normalisation.
What this means for businesses
With the MLRs explicitly recognising the DVS and UKDIATF, it changes the tone of the conversation. Digital identity stops being something that compliance teams tolerate as a pilot and starts becoming something they can justify as part of the mainstream. That’s how markets shift: not when technology becomes possible, but when the compliance incentives and assurance structures finally make “yes” feel safer than “no”.
At Yoti, we believe digital identity should strengthen compliance, reduce fraud and make life easier for genuine customers across all regulated sectors. As the UK regulatory landscape evolves, we will continue working with industry and the government to help organisations adopt digital identity safely, proportionately and effectively.
To prepare your business for the next phase of identity verification, get in touch.
– Julie, Chief Policy & Regulatory Officer
